3 Replies. Latest reply: Oct 11, 2013 9:43 AM by Kary Tankink

    McAfee HIPS


      HIPS 8.0 blocks mspaint when IPS Options is enabled. No visibility yet into what other Windows files it blocks, but I disabled the policy as a temporary solution.


      Is there a default IPS rule that is blocking mspaint?

        • 1. Re: McAfee HIPS
          Kary Tankink

          Is there a default IPS rule that is blocking mspaint?

          HIPS 8.0 default configuration does not block anything, as Host IPS is off. If you enable it, HIGH severity signatures are PREVENTED, none of which block mspaint.exe.


          You might have enabled Signature 6011 (disabled by default), which enables application control in the product.  Check the HIPS Activity Log in the ClientUI for signature triggers for Mspaint.exe.



          KB67056 - Third-party application stops working or is impaired after McAfee Host Intrusion Prevention is installed or content is updated


          • 2. Re: McAfee HIPS

            Once I enabled Signature 6010 and set it to High, it blocked UltraSurf applications, but it also made mspaint malfunction as well.


            What I did is I added mspaint.exe to the exception list, and it is now working fine.


            What I was worried about are those not yet discovered that may also behave this way. I still need to wait to see which other applications are problematic before I can add them to the whitelist.


            Thanks for your help


            Message was edited by: romardy on 10/11/13 1:32:43 AM CDT
            • 3. Re: McAfee HIPS
              Kary Tankink

              FYI, in case you weren't aware of how the product functions normally.


              The design of the HIPS product is to tune IPS signatures for your environment. Signatures should be tested in a test/lab environment first, tuned, then applied to production. IPS events need to be continually monitored and the policy tuned (e.g., environment changes), as needed when new issues occur. Signatures 6010 and 6011 are specific to the Application Blocking functionality within the HIPS product.


              KB71794 - How to configure application blocking/hooking functionality with Host Intrusion Prevention 8.0



              KB73399 - FAQs for Host Intrusion Prevention 8.0

              Top Issues

              Client IPS/FAQ - IPS Events

              IPS signature events are one of the top call generators for the Host Intrusion Prevention (Host IPS) product. Normally, these inquiries are the result of IPS Signature Event triggers. In general, Host IPS offers IPS and firewall protection for endpoint systems as part of a layered protection strategy. This layered protection strategy should include network gateway firewall/intrusion systems or filtering, endpoint anti-virus, and endpoint anti-malware applications, in addition to Host IPS.

              Host IPS signature content provides security to protect against known system vulnerabilities and unknown (zero-day) vulnerabilities. Zero-day is defined as the gap between unpatched systems and subsequently applying released security updates for confirmed vulnerabilities. Host IPS content contains generic buffer overflow and other generic signature mechanisms to protect systems during this zero-day gap period. However, McAfee recommends that you apply all operating system and application-specific security updates as soon as practical within your environment to reduce frequent or repeated IPS signature detections. 

              McAfee advises that you follow a general methodology for reviewing operating system and application-specific security updates, and also patch systems and applications on a monthly or regular basis. McAfee also advises that you review monthly Host IPS signature updates for correlation to specific vendor security updates that are released. Host IPS signatures mapping directly to vendor-available security updates can be safely disabled on updated systems. McAfee recommends that you review enabled signature content and system patching with available security updates monthly to reduce the likelihood of excessive false positives on already updated systems.

              Use the following general methodology when assessing IPS signature events:

              1. Identify the signature number that is being triggered.
              2. Review the IPS Signature number description information from the IPS Rules policy in ePolicy Orchestrator (ePO).
              3. Review the References CVE description link(s), if any are included in the description information for that signature.
              4. Identify whether any Microsoft Technet Security Bulletins are linked for the applicable vulnerability, and identify whether any Microsoft security updates have been released that resolve the vulnerability.
              5. Verify whether systems reporting the IPS event have any applicable Microsoft Security Updates applied (as noted above):

                1. If so, the applicable IPS Signature may be disabled on the systems having the associated Microsoft Security Updates applied.
                2. If not, McAfee recommends that you apply the applicable Microsoft Security Updates to the affected systems at your earliest convenience.
              6. If no CVE description links are noted for the triggering IPS signature, review all advanced details for the received IPS event.
              7. Identify whether the event triggers correlate to normal business usage or process.
              8. Identify whether the systems experiencing the event have all of the latest Microsoft Security Updates applied.
              9. Identify whether the IPS event is specific for a third-party process, such as Adobe or other non-Microsoft application, process, or other tool. If so, review all applicable security updates from the vendor and ensure they are applied on the systems.
              10. If the signature is still triggering after an applicable vendor security update has been applied, consider the event a false positive and either disable the signature to the updated systems, or create an IPS exception for the updated systems to stop all further signature detections.
              11. If there is no applicable vendor security update available, determine whether the affected systems have current anti-virus and anti-malware definitions for McAfee VirusScan or other installed endpoint protection application. Perform a full scan on the affected systems.
              12. Determine whether the affected systems are protected by other perimeter security measures, such as Network Intrusion Detection.
              13. Enable verbose debug logging by enabling Log security violations for Host IPS so advanced information can be collected in the HipShield.log. See article KB54473 for relevant information regarding IPS security violations in the HipShield.log.
              14. Contact McAfee support for further analysis.
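The assessment steps above turned into a small triage script, added here as an example and not code from the thread or from McAfee. The signature catalogue, the CVE-to-update mapping, and the event records are constructed placeholders (only signature IDs 6010 and 6011 come from the thread); it assumes you export the IPS events and a per-host patch inventory yourself.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed signature catalogue. Only the IDs 6010 and 6011 (Application Blocking)
# come from the thread; signature 7777 and its CVE/update mapping are placeholders.
SIGNATURES = {
    6010: {"cves": [], "app_blocking": True},
    6011: {"cves": [], "app_blocking": True},
    7777: {"cves": ["CVE-PLACEHOLDER-0001"], "app_blocking": False},
}
# Step 4: placeholder mapping from a CVE reference to the vendor update that resolves it.
VENDOR_UPDATES = {"CVE-PLACEHOLDER-0001": "UPDATE-PLACEHOLDER-A"}

@dataclass(frozen=True)
class Event:
    host: str
    sig_id: int
    process: str

def triage(event, installed_updates):
    """Apply steps 1-10 to one event; installed_updates is the host's applied update set."""
    sig = SIGNATURES.get(event.sig_id)
    if sig is None:
        return "review"          # step 2: look up the description in the IPS Rules policy
    if sig["app_blocking"]:
        return "whitelist"       # 6010/6011: Application Blocking, tune via an exception (KB71794)
    fixes = [VENDOR_UPDATES[c] for c in sig["cves"] if c in VENDOR_UPDATES]
    if not fixes:
        return "review"          # steps 6-7: no CVE link, inspect advanced details and business use
    if all(f in installed_updates for f in fixes):
        return "exception"       # step 10: update applied, still triggering, treat as false positive
    return "patch"               # step 5b: apply the vendor update first

def triage_all(events, patch_state):
    """Rank triggering signature numbers (step 1) and decide an action per (signature, host)."""
    counts = Counter(e.sig_id for e in events)
    actions = {}
    for e in events:
        actions[(e.sig_id, e.host)] = triage(e, patch_state.get(e.host, set()))
    return counts, actions

# Constructed sample events and patch state (not real HipShield.log data).
EVENTS = [
    Event("ws01", 6011, "mspaint.exe"),
    Event("ws02", 7777, "foo.exe"),
    Event("ws03", 7777, "foo.exe"),
    Event("ws03", 7777, "foo.exe"),
    Event("ws04", 9999, "bar.exe"),
]
PATCH_STATE = {"ws02": {"UPDATE-PLACEHOLDER-A"}, "ws03": set()}
```

Calling `triage_all(EVENTS, PATCH_STATE)` yields signature 7777 as the top trigger, a whitelist candidate for mspaint.exe on ws01, an exception candidate on the patched host ws02, and a patch-first action on the unpatched host ws03.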